Tuesday, 15 September 2020

How to slash penetration testing cost for web apps & mobile apps

The two most commonly cited reasons by CTOs, software engineering managers and SaaS executives for not conducting a penetration test on their cloud software and mobile apps are:
  1. We've never been hacked - why would we spend on a penetration test?
  2. Penetration testing is too expensive, I can't afford it.

Are you being ignorant about investing in a penetration test?

On the face of it, both reasons sound reasonable. But let's quickly tackle the first, which I think is a case of ignorance.


Ask yourself, do you only get car insurance for your car after it gets stolen? 

As hackers become more sophisticated and strategic, in many cases companies don't even know they have been hacked for months on end. The recent attacks on Instacart and Nutribullet are classic examples of why it doesn't pay to take a "head in the sand" approach to your application security. 

The risk of being attacked, anecdotally at least, is even higher when you publicise a successful capital raising, investment discussions or acquisition talks. 

As our co-founder Ayush Trivedi put it:
Application security investments are like insurance policies. The annual payments might rankle you, but you end up smiling ear to ear when that same policy helps you dodge one of life's unexpected fires.
Ayush Trivedi, Cofounder & Director, Audacix

In this article I will take you through the penetration test cost for web applications and mobile applications. Penetration tests can also happen for company-wide networks and other devices. Including every type of penetration testing price in this article would turn it into an encyclopedia and to save you the trouble, I've restricted my scope.

What are the different types of penetration testing (security testing) and their costs?

Penetration testing (sometimes also called ethical hacking or security testing) is a method used to identify vulnerabilities in a computer system or network. There are several different types of penetration testing - they all vary in price and therefore will affect the ROI you extract from your application security project.

Penetration test types for web and mobile applications include black box testing, grey box testing and white box pen testing.

What is a black box penetration test & how much does it cost?

A black box penetration test is the process of using a variety of methods to attempt to infiltrate your network via applications and protocols without prior knowledge of your environment, configurations or login credentials. This type of penetration test is ideal if you want to know how an attacker or an external force would be able to gain access to your network.

It is best compared to the method of having an insurance agent check over your car after an accident, as opposed to a mechanic, who may be able to find hidden issues that were caused by the accident.

Black box pen tests can be done either by manually scanning for open ports and vulnerabilities, or more likely, a combination of automated dynamic vulnerability scanning combined with manual web application penetration testing.

This type of pen test costs the least as it is the quickest and least complex type of penetration test to perform. However, it also finds fewer critical vulnerabilities because of its limited scope.

What is a grey box penetration test and how much does it cost?

A grey box penetration test includes everything that is done in a black box test and exposes vulnerabilities that are hidden behind your application's login. A team of researchers will monitor your site from both the internal and external perspectives, by creating an account and testing the application's security.

Grey box pen tests assume that a user's credentials have been stolen or leaked, and help you understand what damage an attacker could do if they found their way inside your application.

Naturally, because of the extra time and expertise required to perform this, the price of a grey box penetration test is significantly higher than that of a black box pen test.

Depending on the penetration testing service provider you choose and the specifics of your cloud software, you could pay anywhere from $7000 to $30000 for this type of penetration test.

What is a white box penetration test and how much does it cost?

White box penetration testing is a lot like the grey box variety, except that it goes one step further in exploring the source code of the application in question.

It is based on the assumption that a hacker will usually have access to the source code of the application under test, and will search for vulnerable points within the application that can be exposed.

Because of its scope, this approach is more expensive than a grey box pen test, but it is also more effective in identifying vulnerabilities that are hard to spot via grey box testing.

How long does a pen test take?

In general, a pen test takes from one to two weeks. However, it could be longer or shorter depending on the level of testing required and the depth of the penetration testing. A pen test report usually takes another week to create, and you will likely need to verify the findings before the test is officially over.

Our web application penetration testing services give you a fixed quote before your pen test kicks off. Your fixed price quote will include retests and also allow your software development team to talk with our security professionals when they have questions.

You don't have to pay exorbitant daily rates for your pen test. Get your fixed price pen testing quote & find out which type of pen test you need.

How often should I perform penetration testing?

Penetration testing should be performed at least once a year. Our security professionals suggest that web application penetration testing should be performed every quarter if your cloud software has a high security risk because of the nature of your customers and users, or a large data set is present.

However, the need to perform more than two annual web or mobile application penetration tests can be mitigated if you have the right application security structure in place.

The correct application security structure includes automated penetration testing (DAST) every time your development team ships new code, ideally in combination with static code analysis. Our security testing experts can guide you to the structure that is most appropriate for you: one that helps you sleep better at night and also fits your budget.

Get your fixed price and affordable penetration testing quote and consult to get all the information you need to make an informed decision.

What is the difference between a penetration test & a vulnerability scan?

There is a lot of confusion around these two terms. Penetration testing and vulnerability scanning (also called "automated penetration testing") tend to get used interchangeably by many. In fact, they are two different things.

What is the difference between a vulnerability scan and a penetration test?

Penetration testing is a manual test conducted by an experienced ethical hacker. The security professional will use the same techniques as an attacker including scanning for vulnerabilities and then manually exploiting them. Penetration testing is considered to be more effective, since the tester is not limited by the capabilities of the vulnerability scan tool.

Some of the common penetration test techniques include fuzzing, port scanning and OS fingerprinting. Vulnerability scanning, on the other hand, is done through an automated tool which scans the target system.

Common tools for doing vulnerability scanning include Nessus, Acunetix and OpenVAS. However, these tools are built for use by cybersecurity experts, people who have years of experience and the right accreditations. They are difficult to use, so they may not be very useful in the hands of non-experts.

There are very few vulnerability scanning tools that are built to be used by software teams who have little or no penetration testing experience. That's where you'll find that our Cyber Chief automated vulnerability scanning tool is a great fit for your software development workflows because it is user-friendly and gives you detailed fixes for vulnerabilities, including code snippets.

Be careful what you get in the guise of a penetration test report!

There are many companies that have popped up claiming to be penetration test companies. While it is true that these companies can find vulnerable areas of your web/mobile app and cloud infrastructure, they often do so by using simple vulnerability scanners to find these weaknesses.

The problem with this is that they often use the scanner to look only for the most common vulnerabilities, which are also the easiest to fix. This means they're doing you a disservice by not looking for vulnerabilities that are harder to find and fix.

So when you're partnering with an external web application penetration testing company, make sure you hire one that works with recognised pen testing methodologies and has a system in place to help you maximise your ROI from the pen test.

Ok, but if I need one, how much does a vulnerability scan cost?

Vulnerability scans are usually offered by third-party organizations and commercial software companies. Typically, a business will pay a yearly upfront fee, and then a per-user fee for every scan made. Prices vary depending on the size of the organization, the number of scans it makes per year, and the benefits it receives.

The Cyber Chief vulnerability scanning tool allows you to perform your own user-friendly, 1-click automated vulnerability assessments. It charges you one flat fee irrespective of the number of scans you run or the number of people in your team who use it.

Plus, it even has DevOps/CICD integrations so that you can run scans straight from your deployment pipelines. Check out the Cyber Chief's automated penetration testing features and pricing here.

Do you want a free trial of a vulnerability scanner that is user-friendly, built for software teams & helps you ship your software with zero known vulnerabilities?

How expensive is a penetration test for web apps?

Most people answer this question in the simplest terms: a penetration testing services provider charges x amount for a project, therefore a penetration test costs x amount.

But it's never that simple. That figure doesn't consider important contributing factors and the potential costs of inaction (all figures from a recent IBM cyber security survey):

  • It takes companies 197 days to identify and 69 days to contain a breach.
  • The cost alone of notifying customers about a hack averages about $740,000 in the United States.
  • The average cost per lost or stolen record is $148.
  • Companies that deploy security automation have a 55% lower average breach cost than those that don't.
  • On top of remediation costs, you will be fined. Fines will vary depending on where you are based, but if you fall under GDPR regulations then you could be fined €20 million or 4% of your company’s worldwide annual revenue of the previous financial year.

I think you will agree that paying even a 5-figure amount for web app penetration testing is more palatable than shelling out for the costs above!

The one cost that can't be accurately measured is the cost of embarrassment that comes from having to tell your customers that your SaaS has been hacked. Depending on which study you believe, up to 86% of companies will not do business with another company that has had a notifiable breach.

But is there a growth upside to having a robust application security program?

Absolutely there is, and unfortunately this upside is often undervalued or forgotten altogether when SaaS executives evaluate if and when they want to invest in penetration testing.


Our B2B web application penetration testing clients, particularly those that sell to large enterprises, have reported cutting deal cycle times by up to 33% by being able to demonstrate that they have a robust AppSec program in place.

Some clients have even used their improved security resilience to differentiate their offering in their industry. Can you imagine the confidence your prospects will have in your SaaS solution when you make it a point to talk about your security resilience while your competitors are trying to hide theirs?

The IBM Security survey results presented in the infographic above prove that your sales prospects want the data they store with you to be secure.

Why not give them what they want by showing them all that you do to protect their sensitive data? Surely that level of assurance can only lead to faster sales and larger deals, right?

Is penetration testing expensive?

It is true that a full, grey-box manual penetration test for a reasonably sized and complex application takes at least a week. The security tester is a highly qualified and credentialed expert, and they use very specialised and high-tech software (and hardware when testing mobile apps and IoT devices).

When you consider that, according to IBM, the average cost of an application security breach is north of $3 million, the amount you spend on a pentest for your cloud application will be a fraction of the cost of a breach.

But pen testing projects are like most things in life: you get what you pay for. That's why it's important that your penetration testing service provider asks you the right questions before starting the project. This is why we ask questions like those below, to ensure that our clients get the highest ROI from their pentesting projects.

So what is the real price of a penetration test?

Your final penetration testing cost will vary depending on the application that needs the security testing and a few other key questions about the nature of the outcomes you want to achieve, like:

  1. Is your goal just a secure app or are you looking for a different ROI?
  2. Do you know the frameworks against which you want your penetration tests performed?
  3. What outcomes will help your dev team minimise the time they spend fixing security vulnerabilities?
  4. Do you want an automated vulnerability scan or full grey-box penetration testing?
  5. Do you need an ISO 27001 penetration test or SOC 2 penetration test?
  6. What user stories/data in your application do you consider high risk?
  7. How will you ensure that vulnerabilities don't re-appear during future sprints?

With so many variables to consider, you can understand why it is so difficult to provide just one cost for a web or mobile app penetration testing project.

However, as a general rule of thumb, a grey box penetration test for a very "simple" single server/database web application with less than 10 pages, no publicly exposed APIs and 1-2 user roles will cost you approximately US$5000-$7000. If you are quoted an amount less than this you should ask the pentest service provider serious questions about the robustness, relevance and worth of the pen test that they are quoting you for, because it might just be worthless.

Large, sophisticated and complex applications that have web, plus Android, plus iOS variants can have much higher penetration testing costs. If you have many public API endpoints that will also add to your penetration testing costs, although this will be a very worthwhile exercise because publicly exposed APIs introduce a whole new level of information security risks. Penetration tests for complex and sophisticated applications can cost in excess of $30000.

You can use our free penetration test quote and consultation session to understand your options and see what is possible within your budget.

Just as not all car mechanics are skilled or accredited to work on all types of cars, not all penetration testers have the know-how and experience to conduct penetration tests on all types of cloud applications. 

How can I reduce penetration testing costs for my web application?

This is a great question and unfortunately one that is not asked nearly often enough, despite the fact that bargaining usually doesn't work well in this scenario. 

Contrary to popular belief, penetration testing is just one element (although still an important element) of a cohesive and effective modern application security program. 

You can do three simple things to ensure that your penetration testing expenses are minimised on a per-project basis or because you have to conduct fewer penetration tests throughout the year:
  1. Build application security into your product development process, right from the design phase. Use this easy-to-use application security checklist to ensure your team is incorporating all the necessary security controls into your cloud software.
  2. Ensure that your web application and its infrastructure are configured with the right HTTP security headers - these headers are your first line of defence and will help your application repel many attempted attacks. Use this free HTTP security header analysis tool to conduct your audit.
  3. Conduct regular vulnerability scans on your application and infrastructure using smart, cloud-based automated penetration testing tools like Cyber Chief.
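
To make the second point concrete, here is an added example of what an HTTP security header audit checks. This script is not the analysis tool linked above and is not Audacix code; the baseline of headers, the one-year HSTS threshold, the severity labels and the two sample header sets are the author's own assumptions. It audits a response's headers and reports which are missing or weakly configured, and the `fetch_headers` helper lets you point it at a live site you operate.

```python
"""Audit an HTTP response's security headers (added example, not the article's tool)."""
import re
import urllib.request
from typing import Dict, List, Tuple

ONE_YEAR = 31536000  # assumed HSTS max-age lower bound, in seconds

Finding = Tuple[str, str, str]  # (severity, header, message)

# Constructed sample header sets: one weak, one hardened.
WEAK_HEADERS = {
    "Server": "nginx/1.18.0",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
}
HARDENED_HEADERS = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}


def _normalise(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive, so key everything by lowercase name."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def audit_security_headers(headers: Dict[str, str]) -> List[Finding]:
    """Return a list of findings; an empty list means every check passed."""
    h = _normalise(headers)
    findings: List[Finding] = []

    # Strict-Transport-Security: present, long max-age, covering subdomains.
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("high", "Strict-Transport-Security", "missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        max_age = int(m.group(1)) if m else 0
        if max_age < ONE_YEAR:
            findings.append(("medium", "Strict-Transport-Security",
                             f"max-age {max_age} is below one year"))
        if "includesubdomains" not in hsts.lower():
            findings.append(("low", "Strict-Transport-Security", "includeSubDomains not set"))

    # Content-Security-Policy: present, with a default-src fallback and no inline scripts.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("high", "Content-Security-Policy", "missing"))
    else:
        directives = {d.strip().split(" ")[0]: d.strip() for d in csp.split(";") if d.strip()}
        if "default-src" not in directives:
            findings.append(("medium", "Content-Security-Policy", "no default-src fallback"))
        script = directives.get("script-src", directives.get("default-src", ""))
        if "'unsafe-inline'" in script:
            findings.append(("medium", "Content-Security-Policy", "script-src allows 'unsafe-inline'"))

    # X-Content-Type-Options must be exactly "nosniff" to stop MIME sniffing.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("medium", "X-Content-Type-Options", "missing or not 'nosniff'"))

    # Clickjacking protection: X-Frame-Options or a CSP frame-ancestors directive.
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and (csp is None or "frame-ancestors" not in csp):
        findings.append(("medium", "X-Frame-Options",
                         "no framing protection (X-Frame-Options or CSP frame-ancestors)"))

    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(("low", name.title(), "missing"))

    # Version banners are information disclosure rather than a vulnerability in themselves.
    for name in ("server", "x-powered-by"):
        if name in h and re.search(r"\d", h[name]):
            findings.append(("info", name, f"reveals version information: {h[name]}"))

    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Highest severity present, or 'none' when the audit is clean."""
    for level in ("high", "medium", "low", "info"):
        if any(f[0] == level for f in findings):
            return level
    return "none"


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch the response headers of a site you operate (network access required)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        result = audit_security_headers(hdrs)
        print(f"{label}: worst={worst_severity(result)}, {len(result)} finding(s)")
        for severity, header, message in result:
            print(f"  [{severity}] {header}: {message}")
```

Run it as-is to compare the two constructed header sets, or call `audit_security_headers(fetch_headers("https://your-app.example"))` against your own deployment. The checks are deliberately strict about values, not just presence: an HSTS header with a five-minute max-age or a CSP that permits inline scripts is reported even though the header exists, which is the difference between "header set" and "header effective".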


Putting this structure in place can be daunting. If you need to get help from application security experts who have helped do this for many companies just like yours, take advantage of our free penetration test consultation and quote process.

You will leave this consult with a clear picture of how each piece of the AppSec puzzle fits together. You will also clearly understand what your team can do by itself to improve your software's security resilience and where you will need help. Last, but definitely not the least, you will be able to get confirmed investment amounts for each part of your AppSec puzzle.